APPENDIX 1: DATA PROCESSING ANNEX

1 BACKGROUND, PURPOSE AND RULES IN CASE OF CONFLICT

1.1 This Data Processing Agreement ("DPA") sets out the terms and conditions for the processing of Personal Data by Supplier on behalf of Customer under the Agreement between the Parties ("Agreement"). This DPA is an essential and inseparable part of the Agreement.

1.2 The Parties shall supplement this DPA with more detailed information on each of the respective Personal Data processing operations under the Agreement in supplements to be incorporated herein (each a "Supplement"), by filling in the Data Protection Supplement Template, attached hereto as Appendix 1.1. Supplements eventually entered into after the Effective Date of the Agreement will be attached hereto as Appendices. In the event of any discrepancy between the content of this DPA and a Supplement, the content of the Supplement prevails.

1.3 Supplier acts as a Processor and Customer acts as a Controller of Personal Data as defined in Data Protection Regulation.

1.4 In the event of any discrepancy between the content of the body of this DPA and appendices thereto, the Agreement or any of the appendices thereto, Data Protection Regulation or Standard Contractual Clauses, the following order of precedence shall be applied:

i) Data Protection Regulation, including Standard Contractual Clauses
ii) The Agreement and any appendices thereto
iii) This DPA and any appendices thereto

2 DEFINITIONS

Data Protection Regulation means all applicable laws relating to protection of personal data, including without limitation the laws implementing EU Directive 95/46/EC and EU Directive 2002/58/EC, the GDPR and any amendments thereto.

Data Subject means a natural person whose Personal Data is processed by Supplier under this DPA and the Agreement.

GDPR means the EU General Data Protection Regulation (2016/679/EC).

Personal Data means any information relating to an identified or identifiable natural person, and which Supplier is processing under the Agreement or otherwise, and of which Customer is a data controller. In this regard, processing means any operation, or set of operations, performed by Supplier on Personal Data, by any means, such as collecting, organizing, storing, amending, retrieving, using, disclosing, transmitting, combining, blocking, erasing or destroying Personal Data.

Personal Data Breach means a breach of security leading to destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed, which is adverse to this DPA or Data Protection Regulation or otherwise unlawful.

Standard Contractual Clauses means the contractual clauses issued by the European Commission by the decision 2010/87/EU for international transfers of Personal Data, and any amendments thereto.

3 RIGHTS AND RESPONSIBILITIES OF CUSTOMER

3.1 Customer shall process Personal Data in compliance with Data Protection Regulation and good data processing practice.

3.2 Customer's complete written instructions on processing of Personal Data are given in this DPA. Customer shall have the right to give Supplier new documented instructions during the term of this DPA. Customer's new documented instructions to Supplier require a written agreement between the Parties. Supplier is entitled to charge for additional costs for complying with new documented instructions from Customer.

4 RESPONSIBILITIES OF SUPPLIER

4.1 General principles applicable to the processing of Personal Data

Supplier shall

4.1.1 process Personal Data in compliance with Data Protection Regulation and good data processing practice;
4.1.2 process Personal Data on documented instructions from Customer referred to in section 3.2 of this DPA, unless prescribed otherwise by a provision of Data Protection Regulation applicable to Supplier. Supplier shall inform Customer of such requirement in reasonable time before beginning the processing of Personal Data in accordance with the instructions, unless informing of such requirement is prohibited in Data Protection Regulation. In case Supplier considers that instructions of Customer are in breach of Data Protection Regulation, Supplier shall inform Customer without undue delay;
4.1.3 ensure that Supplier's staff with access to Personal Data have committed themselves to appropriate confidentiality;
4.1.4 carry out the measures prescribed in section 4.2 of this DPA;
4.1.5 follow the conditions concerning the use of subcontractors prescribed in section 7 of this DPA;
4.1.6 taking into account the information available to Supplier, provide reasonable assistance to Customer in responding to requests for exercising the rights of Data Subjects where Customer does not have the information needed for response. Supplier is entitled to charge Customer for costs and expenses that were incurred as a result of complying with this clause 4.1.6;
4.1.7 taking into account the information available to Supplier, provide reasonable assistance to Customer in ensuring compliance with its obligations set out in Data Protection Regulation, relating to data security, Personal Data Breaches further defined in section 6 of this DPA, data protection impact assessments, and prior consulting obligations. Supplier is entitled to charge Customer for costs and expenses that were incurred as a result of complying with this clause 4.1.7;
4.1.8 at the choice of Customer, delete or return Personal Data to Customer as prescribed in section 10.2 of this DPA;
4.1.9 make available to Customer all information necessary to demonstrate compliance with obligations set out in this DPA and in Data Protection Regulation. Customer is obliged to keep all such information confidential. Supplier is entitled to charge Customer for costs and expenses that were incurred as a result of complying with this clause 4.1.9; and
4.1.10 allow Customer to perform audits as prescribed in section 8 of this DPA.

4.2 Data security

4.2.1 Supplier shall implement technical and organizational measures to ensure an appropriate level of security to protect Personal Data against unauthorized access and loss, destruction, damage, alteration or disclosure, or against other unlawful processing.

5 PERSONAL DATA BREACH NOTIFICATION

5.1 Supplier shall notify Customer of all Personal Data Breaches without undue delay, but no later than two (2) business days after Supplier has become aware of the Personal Data Breach. The notification shall contain the following:

(a) description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned;
(b) name and contact details of the contact person of Supplier handling the Personal Data Breach;
(c) description of likely consequences and/or realized consequences of the Personal Data Breach; and
(d) description of the measures Supplier has taken to address the Personal Data Breach and to mitigate its adverse effects.

5.2 If it is not possible to provide the information listed at the same time, the information may be provided in phases.
5.3 Supplier shall document all Personal Data Breaches and disclose the documentation to Customer upon Customer's request.
5.4 Customer shall notify Supplier without delay if Customer suspects a Personal Data Breach.
5.5 After Supplier has become aware of the Personal Data Breach, Supplier shall ensure security of Personal Data and take appropriate measures to ensure protection of Personal Data in cooperation with Customer.

6 TRANSFERS OF PERSONAL DATA

6.1 Supplier shall not transfer Personal Data outside the borders of the European Economic Area (EEA) without written consent from Customer. Consent given by Customer as prescribed in this section 6.1 shall be irrevocable.

6.2 Where Customer has given consent prescribed in section 6.1, the mechanism to export Personal Data shall be Standard Contractual Clauses or another valid mechanism under Data Protection Regulation as jointly agreed between the Parties.

6.3 If the Customer wishes to block access to Personal Data from outside the EEA, the Customer must take care of this when creating user accounts and in the instructions. The Supplier does not implement a technical restriction to prevent the use of the Software Service from outside the EEA.

7 SUBCONTRACTORS

7.1 Supplier is entitled to use subcontractors in processing Personal Data. On the Effective Date of this DPA, the subcontractors in processing Personal Data are listed in Appendix 1.2.

7.2 Supplier is entitled to reduce the number of subcontractors without separate notice.

7.3 Supplier shall inform Customer about the intended addition of a subcontractor at least fourteen (14) days prior to intended processing of Personal Data by the subcontractor.

7.4 Supplier shall take appropriate measures to ensure that the used subcontractors comply with the obligations specified in this DPA, including security and confidentiality requirements. Supplier is responsible for the performance of its subcontractors as it is responsible for the performance of its own obligations.

7.5 Supplier is entitled to use, without any limitations, subcontractors who do not process Personal Data.

8 AUDITING

8.1 When Customer requests an audit, Customer shall appoint a third party who is not in direct competition with Supplier to audit Supplier's compliance with obligations set out in this DPA, in order for Customer to ensure that Supplier has fulfilled the obligations set out in this DPA. Customer shall ensure that such third party complies with the confidentiality obligations set out in the Agreement with regard to Supplier's confidential information received in connection with the audit. Customer has the right to request an audit prescribed in this Section 8.1 in every twelve (12) months. Customer shall bear the costs and expenses incurred by Supplier and Customer in connection with the audit, and the costs and expenses of the third party. Supplier shall assist Customer and the third party in conducting the audit with reasonable measures.

8.2 When Customer requests an audit of Supplier's compliance with obligations set out in this DPA, Supplier has a right, but no obligation, to perform the audit on Supplier's own account, and shall disclose an audit report to Customer. In this case, Customer shall not have additional right to audit Supplier provided that

8.2.1 the audit has been performed by a recognized, independent third party appointed by Supplier, with proven experience in the field;  

8.2.2 the audit report is not older than twelve (12) months;

8.2.3 audits have been conducted regularly, at least in every twelve (12) months; and

8.2.4 Supplier shall disclose a report of the audit to Customer. Customer shall comply with the confidentiality obligations set out in the Agreement with regard to Supplier's confidential information received in connection with the audit.

8.3 If the audit reveals shortcomings, Supplier shall correct such shortcomings without delay or at the latest within thirty (30) days of a written notice from Customer, unless the Parties agree otherwise. Any material shortcomings that pose an obvious threat to data security shall be rectified without undue delay.

9 LIMITATION OF LIABILITY

9.1 What is agreed on limitation of liability in the Agreement will also apply to this DPA.

9.2 For the sake of clarity, neither of the Parties is responsible for the other Party's fines and penalties issued by the authorities.

10 TERM, TERMINATION AND TRANSFER OF DPA

10.1 This DPA becomes effective together with the Agreement, and continues to be in effect until termination or expiration of the Agreement, unless otherwise agreed on processing of Personal Data between the Parties.

10.2 Supplier shall process Personal Data only during the term of this DPA. Upon termination or expiry of this DPA, or upon Customer’s written request, Supplier shall either destroy or return, either to Customer or to a third party designated by Customer in writing, Personal Data processed, unless otherwise required by Data Protection Regulation or other applicable legislation. In case Customer demands Personal Data to be returned to Customer or transferred to a third party, Customer will pay Supplier for any costs caused by return or transfer of Personal Data.

10.3 What is agreed on transfer of the Agreement in the Agreement shall also be applied to transfer of this DPA.

11 SUPPLEMENTS

APPENDIX 1.1 Data Protection Supplement
APPENDIX 1.2 Subcontractors

APPENDIX 1.1 DATA PROTECTION SUPPLEMENT

1 BACKGROUND AND PURPOSE OF THIS SUPPLEMENT

1.1 This Supplement is made under and attached to the Data Processing Agreement between Customer and Supplier. This Supplement is an inseparable part of the DPA.

1.2 The Parties conclude this Supplement to agree the following:

(a) nature and purposes of processing Personal Data;
(b) the Personal Data processed;
(c) the categories of Data Subjects;
(d) the technical and organizational measures as referred to in section 4.2 of the DPA; and
(e) duration of Personal Data processing.

1.3 Supplier undertakes to process Personal Data on behalf of Customer and in accordance with the terms and conditions of the DPA and this Supplement for the purpose of providing the services under the Agreement.  

2 NATURE AND PURPOSES OF PROCESSING PERSONAL DATA

Supplier shall process Personal Data for the following purposes:

Supplier provides the Software Service defined in the Agreement. Supplier also provides the technical platform for the Software Service and performs technical maintenance work. In addition, Supplier provides support services to the Customer, and is allowed to log in to the service for this purpose.

3 PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

Supplier shall process the following categories of Personal Data:

1. Software Service: name, email, password, daily work-time records, workday length, balance fixes.
2. Log information: user name, IP address

Personal Data listed above concern the following categories of Data Subjects:
(a) Customer’s employees
(b) Subcontractors working for the Customer
(c) Other users of the Service

4 DATA SECURITY

Customer shall process Personal Data in compliance with Data Protection Regulation and good data processing practice. Especially the following practices are followed when processing Personal Data:

• Customer Data is backed up on a daily basis to two separate physical locations
• Administrative connection to the Software Service is encrypted
• Customer’s connection is only allowed via encrypted connection
• All the software components are regularly updated to the latest version
• Good data security practices are followed in the development of the service.

5 DURATION OF PERSONAL DATA PROCESSING

Personal Data shall be processed as long as it is necessary for provision of services under the Agreement.

APPENDIX 1.2 SUBCONTRACTORS

1 SUBCONTRACTORS PROCESSING PERSONAL DATA

The following subcontractors are processing Personal Data on the Effective Date of this DPA: No subcontractors

2 OTHER SUBCONTRACTORS

The following subcontractors are participating in the production of the Software Service but do not process Personal Data.

UpCloud Oy
2431560-5 Eteläranta 12, 6. krs, 00130 Helsinki - asiakaspalvelu@upcloud.com, +358 9 3158 4810
The Supplier of the virtual servers used by Software Service.

Triuvare Oy
1953731-8, Viinikankatu 47, 33800 TAMPERE - tuki@triuvare.fi, +358 3 4102 2492
Administration of the virtual servers.